βΌ CVE-2021-24879 βΌ
π Read
via "National Vulnerability Database".
The SupportCandy WordPress plugin before 2.2.7 does not have CSRF check in the wpsc_tickets AJAX action, nor has any sanitisation or escaping in some of the filter fields which could allow attackers to make a logged in user having access to the ticket lists dashboard set an arbitrary filter (stored in their cookies) with an XSS payload in it.π Read
via "National Vulnerability Database".
βΌ CVE-2021-25105 βΌ
π Read
via "National Vulnerability Database".
The Ivory Search WordPress plugin before 5.4.1 does not escape some of the Form settings, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed.π Read
via "National Vulnerability Database".
βΌ CVE-2021-24878 βΌ
π Read
via "National Vulnerability Database".
The SupportCandy WordPress plugin before 2.2.7 does not sanitise and escape the query string before outputting it back in pages with the [wpsc_create_ticket] shortcode embed, leading to a Reflected Cross-Site Scripting issueπ Read
via "National Vulnerability Database".
βΌ CVE-2021-24928 βΌ
π Read
via "National Vulnerability Database".
The Rearrange Woocommerce Products WordPress plugin before 3.0.8 does not have proper access controls in the save_all_order AJAX action, nor validation and escaping when inserting user data in SQL statement, leading to an SQL injection, and allowing any authenticated user, such as subscriber, to modify arbitrary post content (for example with an XSS payload), as well as exfiltrate any data by copying it to another post.π Read
via "National Vulnerability Database".
βΌ CVE-2021-24947 βΌ
π Read
via "National Vulnerability Database".
The RVM WordPress plugin before 6.4.2 does not have proper authorisation, CSRF checks and validation of the rvm_upload_regions_file_path parameter in the rvm_import_regions AJAX action, allowing any authenticated user, such as subscriber, to read arbitrary files on the web serverπ Read
via "National Vulnerability Database".
βΌ CVE-2021-25004 βΌ
π Read
via "National Vulnerability Database".
The SEUR Oficial WordPress plugin before 1.7.2 creates a PHP file with a random name when installed, even though it is used for support purposes, it allows to download any file from the web server without restriction after knowing the URL and a password than an administrator can see in the plugin settings page.π Read
via "National Vulnerability Database".
βΌ CVE-2021-25108 βΌ
π Read
via "National Vulnerability Database".
The IP2Location Country Blocker WordPress plugin before 2.26.6 does not have CSRF check in the ip2location_country_blocker_save_rules AJAX action, allowing attackers to make a logged in admin block arbitrary country, or block all of them at once, preventing users from accessing the frontend.π Read
via "National Vulnerability Database".
βΌ CVE-2021-25029 βΌ
π Read
via "National Vulnerability Database".
The CLUEVO LMS, E-Learning Platform WordPress plugin before 1.8.1 does not sanitise and escape Course's module, which could allow high privilege users to perform Cross-Site Scripting attacks even when the unfiltered_html capability is disallowedπ Read
via "National Vulnerability Database".
βΌ CVE-2021-25095 βΌ
π Read
via "National Vulnerability Database".
The IP2Location Country Blocker WordPress plugin before 2.26.5 does not have authorisation and CSRF checks in the ip2location_country_blocker_save_rules AJAX action, allowing any authenticated users, such as subscriber to call it and block arbitrary country, or block all of them at once, preventing users from accessing the frontend.π Read
via "National Vulnerability Database".
βΌ CVE-2021-25096 βΌ
π Read
via "National Vulnerability Database".
The IP2Location Country Blocker WordPress plugin before 2.26.5 bans can be bypassed by using a specific parameter in the URLπ Read
via "National Vulnerability Database".
β Roaming Mantis Expands Android Backdoor to Europe β
π Read
via "Threat Post".
The 'smishing' group lives up to its name, expanding globally and adding image exfiltration to the Wroba RAT it uses to infect mobile victims.π Read
via "Threat Post".
Threat Post
Roaming Mantis Expands Android Backdoor to Europe
The 'smishing' group lives up to its name, expanding globally and adding image exfiltration to the Wroba RAT it uses to infect mobile victims.
β QuaDream, 2nd Israeli Spyware Firm, Weaponizes iPhone Bug β
π Read
via "Threat Post".
The now-patched flaw that led to the ForcedEntry exploit of iPhones was exploited by both NSO Group and a different, newly detailed surveillance vendor.π Read
via "Threat Post".
Threat Post
QuaDream, 2nd Israeli Spyware Firm, Weaponizes iPhone Bug
The now-patched flaw that led to the ForcedEntry exploit of iPhones was exploited by both NSO Group and a different, newly detailed surveillance vendor.
βΌ CVE-2022-23262 βΌ
π Read
via "National Vulnerability Database".
Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-23263.π Read
via "National Vulnerability Database".
βΌ CVE-2022-23263 βΌ
π Read
via "National Vulnerability Database".
Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability. This CVE ID is unique from CVE-2022-23262.π Read
via "National Vulnerability Database".
βΌ CVE-2022-23261 βΌ
π Read
via "National Vulnerability Database".
Microsoft Edge (Chromium-based) Tampering Vulnerability.π Read
via "National Vulnerability Database".
π΄ When Multifactor Authentication Is Compromised: Fighting Back With AI π΄
π Read
via "Dark Reading".
Now that attackers can bypass preventative controls, we need to find and stop the attackers when they're already inside.π Read
via "Dark Reading".
Dark Reading
When Multifactor Authentication Is Compromised: Fighting Back With AI
Now that attackers can bypass preventative controls, we need to find and stop the attackers when they're already inside.
π Massachusetts Latest State to Advance Data Privacy Bill π
π Read
via "".
The bill marks the first time that comprehensive data privacy legislation has advanced out of committee in Massachusetts.π Read
via "".
Digital Guardian
Massachusetts Latest State to Advance Data Privacy Bill
The bill marks the first time that comprehensive data privacy legislation has advanced out of committee in Massachusetts.
π΄ A Prophylactic Approach for Today's Vulnerable Websites and Web Apps π΄
π Read
via "Dark Reading".
Take a proactive approach to client-side security: Why monitoring your JavaScript programming language is so important to your overall security posture.π Read
via "Dark Reading".
Dark Reading
A Prophylactic Approach for Today's Vulnerable Websites and Web Apps
Take a proactive approach to client-side security: Why monitoring your JavaScript programming language is so important to your overall security posture.
βοΈ IRS To Ditch Biometric Requirement for Online Access βοΈ
π Read
via "Krebs on Security".
The Internal Revenue Service (IRS) said today it will be transitioning away from requiring biometric data from taxpayers who wish to access their records at the agency's website. The reversal comes as privacy experts and lawmakers have been pushing the IRS and other federal agencies to find less intrusive methods for validating one's identity with the U.S. government online.π Read
via "Krebs on Security".
Krebsonsecurity
IRS To Ditch Biometric Requirement for Online Access
The Internal Revenue Service (IRS) said today it will be transitioning away from requiring biometric data from taxpayers who wish to access their records at the agency's website. The reversal comes as privacy experts and lawmakers have been pushing theβ¦
βΌ CVE-2022-21814 βΌ
π Read
via "National Vulnerability Database".
NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel driver package, where improper handling of insufficient permissions or privileges may allow an unprivileged local user limited write access to protected memory, which can lead to denial of service.π Read
via "National Vulnerability Database".
βΌ CVE-2022-21813 βΌ
π Read
via "National Vulnerability Database".
NVIDIA GPU Display Driver for Linux contains a vulnerability in the kernel driver, where improper handling of insufficient permissions or privileges may allow an unprivileged local user limited write access to protected memory, which can lead to denial of service.π Read
via "National Vulnerability Database".